Sneaky Gugi banking trojan sidesteps Android OS security barricades

Overlay malware gets angry if you try and say no

Updated Gugi, a bank-account-raiding trojan for smartphones, has been retooled to bypass Android 6's security features designed to block phishing attempts and ransomware infections.

The modified malware forces users into giving it the ability to overlay genuine apps, send and view SMSes, make calls, and more. The software nasty is distributed through social engineering, usually with a spam SMS that encourages users to click on a malicious link.

The Gugi trojan is geared toward stealing users' mobile banking credentials by overlaying their genuine banking applications with counterfeit apps. The malware also attempts to seize credit card details using much the same trick of overlaying the Google Play Store app with hacker-controlled code.

Android OS version 6 was launched late last year with security features designed specifically to block such attacks. Among other things, apps now need the user's permission to overlay other apps, and to request approval for actions such as sending SMS messages and making calls.

Modifications of the Gugi trojan allow the malicious code to circumvent these two security controls.

Once installed on the device, the trojan sets about getting the access rights it requires. When ready, the malware displays the following sign on the user's screen: "Additional rights needed to work with graphics and windows." There is only one button: "Provide."

Users are subsequently presented with a screen asking them to authorize app overlay. After receiving this permission, the trojan blocks the device screen with a message asking for "Trojan Device Administrator" rights, before asking for permission to send and view SMS messages and to make calls. If the trojan does not receive all the permissions it needs, it completely blocks the infected device.

More on how the Gugi Android trojan bypasses elements of Android 6 security can be found on the blog here.

The Gugi banking trojan has been known about since December 2015, with the modified mobile malware first hitting the radar screens of security researchers in June 2016.

The vast majority (93 per cent) of users attacked by the Gugi trojan are based in Russia. Between April and early August 2016 there was a ten-fold increase in its number of victims, according to security researchers at Kaspersky Lab. ® Updated at 11.00 GMT September 9 to add: In a statement, Google said it was on top of the problem.

"We appreciate Kaspersky's research and their efforts to keep Android users safe. We're aware of this issue and the apps in question are currently being removed automatically on all devices with Verify Apps enabled. The applications were never published in Google Play."®

Biting the hand that feeds IT © 1998–2021